Security Warning For Microsoft Office Web Components

Microsoft warns there are three security vulnerabilities in Office Web Components -- software used to give users limited Office functionality in a Web browser -- the most serious of which could enable an attacker to execute commands on a user's system.

Microsoft published the bulletin on Wednesday. The most serious of the three vulnerabilities in Office Web Components (OWC) could enable an attacker to execute commands on a user's system with that user's privileges.

OWC is a set of ActiveX controls that let users view and, to a limited extent, manipulate Office content in a Web browser without installing the full Office application. The vulnerabilities Microsoft cites lie in three OWC functions: Host, LoadText and Copy/Paste.

The Host vulnerability is the most serious. By design, the Host function exposes the object models of applications on the user's system. Because the function is reachable from script on a Web page that loads the control, an attacker could use it to open an Office application on the user's system and take any action the user could take, Microsoft's security bulletin says, including loading and running programs, altering data and changing security settings.

The other two vulnerabilities let an attacker read data from the victim's system rather than run code. With LoadText, the attacker must already know the path and name of the file in order to read it. The Copy/Paste vulnerability exposes only whatever data happens to be on the user's clipboard at the time.

Microsoft also noted that to exploit any of the vulnerabilities via the Web, an attacker would have to entice the user to visit a Web site hosting code that invokes the vulnerable method. Alternatively, the attacker could send the attack code via email as an HTML message, although mail clients that block ActiveX controls would foil that route.
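Both delivery routes depend on the HTML reaching a client that will instantiate the control, so a mail gateway or Web proxy can cut the vector off without knowing which control is being targeted. The scanner below is an added example, not code from the article or from Microsoft: it flags HTML that instantiates an ActiveX control (by `<object classid="clsid:...">` or `new ActiveXObject(...)`) and separately notes calls to the method names the bulletin singles out, in inline `<script>` blocks and in on* event handlers. The sample page, its all-zero CLSID, the `Example.Control` ProgID and the method arguments are constructed placeholders and do not reflect the real OWC identifiers or API.

```python
"""Flag HTML (a fetched page or an HTML e-mail body) that instantiates
ActiveX controls or calls the OWC methods named in MS02-044.

Added example; not from the article or from Microsoft. The CLSID and
ProgID in the sample are placeholders, not the real OWC identifiers."""
import re
from html.parser import HTMLParser

# Instantiation by class identifier: <object classid="clsid:...">
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
# Instantiation from script: new ActiveXObject("Prog.Id")
ACTIVEX_RE = re.compile(
    r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
# Method names the bulletin singles out, called on any scripted object.
SUSPECT_METHODS = ("Host", "LoadText", "Copy", "Paste")
METHOD_RE = re.compile(r"\.(" + "|".join(SUSPECT_METHODS) + r")\s*\(", re.I)


class ActiveXScanner(HTMLParser):
    """Collects (kind, detail, element_id) findings from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # text chunks collected while inside <script>

    def _scan_script(self, text):
        for m in ACTIVEX_RE.finditer(text):
            self.findings.append(("activexobject", m.group(1), None))
        for m in METHOD_RE.finditer(text):
            self.findings.append(("method", m.group(1), None))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            m = CLSID_RE.search(a.get("classid") or "")
            clsid = m.group(1).lower() if m else "(no clsid)"
            self.findings.append(("object", clsid, a.get("id")))
        elif tag == "script":
            self._script = []
        # Inline event handlers (onload=, onclick=, ...) are script too.
        for name, value in attrs:
            if name.startswith("on") and value:
                self._scan_script(value)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._scan_script("".join(self._script))
            self._script = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def scan_html(html):
    """Return the ordered list of findings for one HTML document."""
    parser = ActiveXScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def should_block(findings):
    """Gateway policy: refuse any content that instantiates an ActiveX control,
    whichever control it is. Method hits alone are left for an analyst."""
    return any(kind in ("object", "activexobject") for kind, _, _ in findings)


# Constructed sample page (not a real attack page): all-zero CLSID, made-up
# ProgID, and placeholder arguments that do not reflect the OWC API.
SAMPLE_PAGE = """<html><body>
<object id="ctl" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script type="text/javascript">
  var ax = new ActiveXObject("Example.Control");
  ctl.LoadText("c:/path/the/attacker/already/knows.txt");
</script>
<p onclick="ctl.Host();">click me</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, elem in scan_html(SAMPLE_PAGE):
        print(f"{kind:14} {detail}" + (f"  (id={elem})" if elem else ""))
    print("block:", should_block(scan_html(SAMPLE_PAGE)))
```

Blocking on instantiation rather than on the CLSID is deliberate: the bulletin's three functions belong to one control, but a policy keyed to that control's identifier would have to be updated for the next one, whereas a client that never instantiates ActiveX from untrusted HTML is what the article credits with foiling the email route.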

Microsoft recommends that customers using the affected software apply the appropriate patch immediately. The patch and further information are available in Microsoft Security Bulletin MS02-044, at: www.microsoft.com/technet/security/bulletin/MS02-044.asp.